Deployment Solution

I have DS 7.1, and I want to start creating and deploying images.  My PXE settings are all set, PXE services are on and working, and I can get a computer to boot to my WinPE pre-boot environment.

My question is, how does DS know about this computer that I want to capture an image from?  In 6.9 it would show up under "New Computers" and I could drag and drop it onto the "Create Image" job.

There are a few options but first do you have the Altiris Agent installed on this computer that you want to capture an image from?

Nope, I don't have the agent installed on the machine I want to image.  Will that work?  I've heard both opinions.  I'm also curious as to when sysprep is run on the computer I want to image.  Do I run it before I capture the image like I did before 7.1, or is is a part of the capture process that DS performs?

If you're making an image of a computer, go ahead and install the Agent on the computer.  You will run the 'Prepare for image capture' task on the computer, which strips out the Agent GUID and runs sysprep.  Without this step, you will have duplicate Symantec Management Agent GUIDs and duplicate Microsoft SIDs.  So your (simplified) process is: Prepare for image capture; reboot to PXE; capture image.

You do not need to have the agent installed on a computer to image it.
Home > Deployment Portal
Slide-out Menu > PXE Server Configuration
Check the box that says 'Respond to unknown computers'
Altiris will now provide the Initial Deployment menu to computers that receive PXE offers from Altiris PXE servers
(You can set up the Initial Deployment menu at Home > Deployment Portal, slide-out menu > Initial Deployment)

If you don't want PXE to respond to unknown computers, computers must be imported first by methods like AD Synchronization or importing from a properly-formatted .csv.

So in DS 6.9, the process for making a computer managed was:
*Plug in a new computer
*Have it boot to PXE and sit in a wait state
*Computer shows up as a managed computer in DS Console
*Assign imaging job from DS
*Computer reimages
*Computer boots to Windows

In 7.1, the difference is:
*Plug in a new computer
*Have it boot to PXE, where it receives Initial Deployment menu
*Choose a job or task from the Initial Deployment list before it times out and boots you to Windows
*Computer reimages, if that's what you chose
*Computer boots to Windows and shows up as a managed computer in the Symantec Management Console

Does this answer your question?

I've made a bit of progress since first posted the question.  I've found that when I boot to my PXE environment, the computer is given an autogenerated name of minint-*******.   It shows up in the deployment portal page, and i can drag it onto my create image job, and the image is captured.  I'm creating a Backup Image at the moment, so I don't have the agents on, and is has not been sysprepped.

I"m not sure I understand the concept of Initial Deployment though.  Still plowing my way through all this.

Initial deployment is just a special menu shown to network-booted computers not previously known to your SMP server.

I tried the intial deployement.. but it will not pop out a menu and ask which task to run. It just hang there..

We need a LOT more information about what you want to do, and don't get ahead of yourself.

We have created a "Support quick start" in the KB because the official one is outdated:

http://www.symantec.com/business/support/index?page=content&id=HOWTO30267&actp=search&viewlocale=en_US&searchid=1286266292191

This can get you through some basics, but we need to answer a few questions here too.

First, a BACKUP is not what you think.  A Backup image will not capture images the same way and will not replicate them at all which can confuse people.  A backup image is designed to be just that - a single-point backup of a single workstation that will nto be used for any one else anywhere else.

It's fine for testing capturing of images, but it's not very useful.

Second, Initial Deployment is a means by which unknown computes can receive an image.  This is critically important to understand as apposed to known, or managed computers.  The advice above to install the agent on a system is to create a managed computer and a job for that computer.  If you have new, bare-bones, or whatever systems that you simply want to image "out of the box", this is what Initial Deployment is for.

If your computer is actually already managed, they will never receive the initial deployment menu.  NOTE: Once a system has checked into WinPE once, it has that MININT record created... and it is now a known computer.  That's right, it is now "known" by the NS, and therefore, on next boot, will not get the initial deployment menu.  NOTE:  To remove a "known computer" from the console, you have to delete it in the NS, and cycle the pxe/sbs services.  This is because the PXE services remember all known systems in RAM "remotely" from the NS and a deleted computer from the console can hardly send an update to the PXE server (yeah, we understand that has to be fixed, but it's not right now).  So, if you delete a computer to make it unknown, cycle SBS services - all 4.

hmmm... my report isn't attached.  I'll get that when I'm awake tomorro - remind me.

The report is a quick-list of all "MININT" records, along with UUID, Ser#, MAC, IP.  This way, for all of you used to managing "new" computers, you can get a quick list of all of those that booted.  One at a time is no problem really, but what if you have 5?  Yeah, it gets ugly quick.

Remind me.

As for how it's known, the initial question - that's called "Basic Inventory".  Now that DS is an integral part of the NS, every time we boot a system, instead of the AClient or DAgent running, we run the Altiris Agent.  In WinPE this is called the PECTAgent, but it does essentially the same thing - it's just modified for PE (and probably slightly misnamed, but we'll not go there...). 

The Altiris Agent scans the system similar to how the DAgent did, and sends up to the NS "basic inventory" (as opposed to "inventory" which is far more detailed than what DS captured and is culled via "Inventory Solution").  That is what is used to create the computer account in NS which, at the time you are in WinPE is "named" a random generated name starting with MININT.

PS>  That MININT name changes with every reboot - including of the same system.  Here's the cool thing - if you reboot a MININT record to the NS, the NAME in the console will stay the same, but the name on the client will be different - because after the reboot, the WinPE generated a different random name.  Makes it REALLY easy to find in the console.  THAT is what initially prompted that report I made, and need to find...  It wont take me time once I'm in the office...

Anyway, hope that helps a bit.  Keep posting - we'll get you all straightened out!

Thanks.. After reading your comment it bring a level up of understanding how DS 7.1 PXE works. Let me try on my demo lab. Will update the result.

This is a great comparison, but actually not quite correct.  Please read my post below.  And here is more information.

As soon as the computer checks in with the PECTAgent in Automation, it is a managed computer, long before the Initial Deployment is completed.  The difference is that, since it was not known at the begging, we made a direct call to a DS Web Service for the Initial Deployment menu at that time.

When an NS Agent checks in, it quickly is "known" by the NS whether or not it is a known system.  As soon as the agent gets the reply from the NS that "Hey, I don't know you!" it does, essentially, one thing: 1) it reports to the NS it's inventory and requests a GUID.  The PECTAgent, our modified NS Agent for WinPE adds one more step into this process: 2) it contacts the DS Web Service and pulls down the Initial Deployment menu (if that option is enabled).

Thus, as soon as the PECTAgent launches (almost) the system is now a "known computer"

But it has that funky name of MiniNT...

 

Happy hunting all!

http://www.symantec.com/connect/downloads/ds-support-tools-71013-report-pack

 

One of the 5 is the one I mentioned, which will list your MiniNT systems while in Initial Deployment.  Sorry, I didn't break out the reports one-by-one, but they're easy to delete if you don't like/need the others.

I tried to download but i think my account is restricted to download.

I apologize if this is slightly off-topic, but it's one of the few remaining issues I have with the DS 7.1 imaging process and I don't see it called out in any of the provided links.

The Copy Files task - I want to use this for copying drivers from a package server to the machine that was just imaged.  Unfortunately, it does not seem to accept any UNC paths with variables in the name, so I can use this task to copy files from the local site server.  If I can pull an image from a site server I really should be able to copy files from a site server as well.

The reason I want to use the built-in Copy Files task is because I can include credentials with the task.  I've seen people post some other VBscript options, but that's been real hit or miss for me.

None of this would be an issue, though, if we could still map an "express" share in the Automation environment like we could in DS 6.9.  Unless I'm missing it, it does not seem like you can make modifications to the WinPE boot image in 7.1 like you could in 6.9.  I don't see how you can map drives or add additional files.  Someone wrote up a cool article on adding the pcAnywhere Thin Host to WinPE in 6.9, but I don't know if that's even possible with 7.1 because it doesn't seem like you can edit that image.

Are these limitations, or am I just missing something?

I don't very often post things out here, so it's possible that it takes some time for the posts to kick-in.  ??  Anyone else know if posting takes time?

You can use it, but the trick is to know what drive the production drive is.

In the past, we always used FIRM to copy files from the environment to a newly imaged system.  This is because there is a switch to say "Prod:" and that instructs FIRM to find the production system.

Now, we rescan the drives after imaging, and the newly imaged drive, already active, actually gets a drive letter at the end of imaging.  Thus, if you know what letter it will be (i.e. D:), you can use Copy Files.  However, you have to be sure.  Otherwise, you'll have to use FIRM

 

As for your other questions - yeah, we don't support tweaking your automation environment like you used to.  You CAN map a drive in automation, but you have to script that.  At least it's a simple script......

I hope that helps.

The problem is that I don't want to map a drive with my password in the clear, ever.  There was another person that posted here that had success running a VBscript immediately after the image task and those credentials were somehow retained.

I have no concerns about copying to the production drive with the Copy Files task like I used to (still do) with FIRM.  My concern is that I can't use a token for the site server name in the source UNC path.  I don't want to copy drivers across a WAN link using one static UNC path - I'd like to use the local site server.  When you use a % in the UNC path of a Copy Files task you get an error that it's not a valid path, even if that token would work just fine in WinPE via a script.

First, one of the tasks in the Task Pack I just posted will tokenize your Task Server, so you can pull from a closer server.  It's not public yet I don't think, but look for it under downloads and DS 7.1.013 task pack or something.  OR, go here to get the TASK.XML from the KB:

http://www.symantec.com/docs/HOWTO26135

One of those will create a token for the Task Server.

Anyway, you can VBScript something and encrypt it, but then you have to copy the script down and run it... messy, but works.

Also, you could use Copy File to get the file onto the X drive (RAM) and then a script to move it to the new production drive.  That saves a LOT of effort, and I'd recommend that one.

Let me know if any of these are acceptable.

Certain content types remain in moderation until they are published by a Connect admin - Thomas's download is available now and you shouldn't have any problems accessing it.

Cheryl

See my comment above ;)

Cheryl

I am in the pilot phase of CMS 7.0 right now. Not currently using initial deployment because then EVERYONE would be an unknown and i don't need people suddenly getting sucked into WinPE just because they rebooted... I don't have the luxury of a separate vlan/site/whatever to do my testing on.

1) I went through the tech article's suggestion to get my site server to report its actual name rather than "Server Name" at the PXE menu, but that didn't seem to help.  sure would be nice to make sure i'm booting from the intended server at a glance rather than consulting a chart of IP addresses during my pilot program!

2) I would rather have new, unknown machines show up in the console as their serial number/service tag rather than "MININT-#####".  In DS 6.9 at my last job, where we did NOT use initial deployment, this was the normal behavior.  You could take a brand new machine out of the box, put the nic first in the boot order, hit F8 and boot into PE, and it would show up in the DS console's New Computers section as its serial number.  I don't know if it was a switch set by the consultant who initially set us up, but it was one of the first things I noticed at my current job, where we run DS 6.8.  That is, the winpe clients on the ds 6.8 server show up in the console as MININT-#####, not their serial.  Having this behavior would eliminate the unnecessary complication of having to go look at a report all the time when imaging multiple machines - especially when someone at another location happens to start imaging a machine at the same time as you, and you don't know about it.

First, it would be nice to have something "show" on a WinPE system of what task server it's reporting to "at a glance".  I don't know if we can pull that off easily or not, but I suspect it can be done and is worth a suggestion.  Even if it simply shows up in the CMD prompt.  The problem is that it doesn't happen right-off, and we only know what Task Server you're connected to after the agent connects, making that a bit harder to do in the CMD prompt.  Again though, still it's worth suggesting.

 

Second, in DS 6.x we can customize how systems show up in the console.  It's not quite so easy in NS 7.x where DS is simply a snap-in component to a larger product.  MOST of the time people want to see a machine name when they look in the console at a computer, and when in WinPE, the MININT names is the system name for new systems.  The best way around this is to use predefined computers (pain-in-the-neck currently, but being resolved, almost positivley in the next major release).  If you predefine a computer, then it shows up as the name you intend for it to be, rather than the name it actually is at the time that it's in WinPE.

Having it show up as the Serial# is a worth-while request, just not one I perceive as being possible in the near term because of the customizations necessary for this one relatively small issue as compared to all the other uses of the NS Console.

Still, it never hurts to ask.  Submit it as a feature request through this forum.  :D  Who knows??

for #1, i was talking about the stage before it even begins loading WinPE - immediately after the machine gets an IP address as part of the PXE boot, and is prompting you to press F8 to get to the PXE menu.  Right now, it just says "Server Name" instead of "SITESERV01" or whatever the pxe server is named.

once you're all the way into WinPE, it's a simple matter of reading the ALTIRIS_PXE_SERVER variable (found by typing SET at the cmd prompt).  ie: ECHO %ALTIRIS_PXE_SERVER% at the dos prompt.

I wonder, for #2, if there's a way to alter the startup scripts in WinPE itself to make it name itself by its serial (perhaps through a WMI call or a regedit) rather than "MININT-<RND>".  time to go digging, it seems... 

oh, and speaking of SET - i find it humorous that ALTIRIS_VER=DS6.9 when that version exists nowhere in our environment.  :)  less humorous is COMPUTERNAME=MINWINPC - especially since when you type HOSTNAME at the prompt, you get its current MININT name.